Spear-phishing campaign targets gov addresses taken in Stratfor hack

By Kevin McCaney

Feb 16, 2012

The other shoe from the Christmas weekend hack of the intelligence analysis company Strategic Forecasting is dropping, in the form of spear-phishing e-mails to government users that appear to come from the company.

The hacker group Anonymous broke into the network of the company, which produces security-related intelligence reports for clients such as the Defense Department and contractor Lockheed Martin, and stole information on thousands of accounts, including e-mail addresses and credit card numbers, and posted it online.

Shortly after the hack, the Army warned users of its Army Knowledge Online portal about the possibility of identity theft, advising them to monitor their credit cards and change their passwords.

Now, Stratfor is warning subscribers that phishers are using those e-mail addresses to send spam that appears to be from the company.

“These spam e-mails may contain malware and attachments, and may attempt to lead you to websites that look like our own,” Stratfor CEO George Friedman wrote on a page dedicated to updates about the incident. “They may also attempt to convince you to provide your private information.”

Stratfor was implementing a temporary no-link policy for its e-mail as a precaution against phishing, Friedman wrote, so if subscribers get an e-mail ostensibly from the company that contains a link, they can assume it’s malicious.

Researchers with the Microsoft Malware Protection Center said the phishing e-mails going to Stratfor subscribers display the Stratfor letterhead and contain an attached PDF file titled "stratfor.pdf," which, when opened, urges the reader to download a supposed antivirus program to scan for the fictional "Win32Azee virus."

The Microsoft researchers noted that the download link in the e-mail appears legitimate at first glance but on closer inspection turns out to point to a URL in Turkey (Stratfor is based in Texas).
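The two indicators described so far, Stratfor's no-link policy and a link that looks legitimate but resolves somewhere else, are both checks a mail gateway can apply mechanically. The Python below is an added example, not code from Stratfor, Microsoft or this article: it parses a message, flags any link arriving from a sender that has announced a no-link policy, flags anchors whose visible text names a different domain than the one the href actually points to, and flags links whose host is not under the sender's domain. The sender list, both sample messages and the `.invalid` download URL are constructed for illustration.

```python
"""Check an e-mail for the phishing indicators described above: links from a
sender with a no-link policy, anchors whose visible text names a different
domain than the href, and links pointing outside the sender's domain.

Added example; not code from Stratfor, Microsoft or the article. The sender
list, the sample messages and the placeholder URL are constructed.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Senders that have said "we never send links" (assumption: this domain stands
# for the company's mail domain and is used only for illustration).
NO_LINK_SENDERS = {"stratfor.com"}


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:        # only text inside the current <a>
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Reduce a hostname to its last two labels (crude; no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_domain(msg):
    """Domain of the From: address, e.g. 'stratfor.com'."""
    addr = msg.get("From", "")
    return registrable_domain(addr.rsplit("@", 1)[-1].strip("<> "))


def host_of(text):
    """Hostname named by a URL or a bare host/path string, '' if none."""
    if "://" not in text:
        text = "http://" + text
    host = (urlparse(text).hostname or "").lower()
    return host if "." in host.strip(".") else ""   # needs at least two labels


def analyze(raw_message):
    """Return a list of (code, detail) findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = AnchorCollector()
    collector.feed(body.get_content() if body is not None else "")

    sender = sender_domain(msg)
    findings = []
    if collector.anchors and sender in NO_LINK_SENDERS:
        findings.append(("no_link_policy",
                         f"{len(collector.anchors)} link(s) in mail from {sender}"))
    for href, text in collector.anchors:
        target = host_of(href)   # where the link really goes
        shown = host_of(text)    # what the reader sees, if it looks like a host
        if shown and target and registrable_domain(shown) != registrable_domain(target):
            findings.append(("anchor_mismatch", f"text shows {shown}, href goes to {target}"))
        if target and registrable_domain(target) != sender:
            findings.append(("foreign_link", f"{target} is not under {sender}"))
    return findings


# Constructed sample resembling the described lure; the .invalid host stands in
# for the foreign download URL the researchers saw.
SUSPICIOUS = """\
From: Stratfor <updates@stratfor.com>
To: subscriber@agency.example.gov
Subject: Important security notice
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Dear Stratfor Reader,</p>
<p>Scan your computer now:
<a href="http://scanner.placeholder.invalid/av.exe">www.stratfor.com/antivirus</a></p>
</body></html>
"""

# Constructed benign sample: plain text and no links, as the policy requires.
BENIGN = """\
From: Stratfor <updates@stratfor.com>
To: subscriber@agency.example.gov
Subject: Weekly report
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Dear Stratfor Reader, this week's report is available in your account.
"""

if __name__ == "__main__":
    for code, detail in analyze(SUSPICIOUS):
        print(f"{code}: {detail}")
    print("benign findings:", analyze(BENIGN))
```

Under the no-link policy the first finding alone is enough to quarantine; the other two are the checks that still apply to senders who do legitimately send links, and the last-two-labels domain reduction should be replaced with a public-suffix lookup before use on real traffic.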

Another tipoff to users is that the message in the PDF, set in an old manual-typewriter font, appears to have been written by someone whose first language is not English.

The letter begins with “Dear Stratfor Reader,” and continues, “our data systems were breached and leak of data is highly possible. That is why we strongly discourage you to open e-mails and attachments from doubtful senders and urge you to check all e-mails and attachments with antivirus.”

The letter then says, “We also warn you about the distribution of harmful software through out website!” before recommending that they download the supposed antivirus program.